Changes should be deployed for each provider (AWS & Google) separately. First
run a “plan” action and, when you’re happy with the changes, run “apply”.

Within the Jenkins job, select the provider, zone & action. Once the build is complete,
examine the logs before progressing to the next stage (Apply).

Please note:

Due to the Terraform state being held in an S3 bucket, you will require access
to the GOVUK AWS “production” account to roll changes for both Amazon and
Google.

The order in which you deploy to providers is not important.

You will not require credentials for Google Cloud. These credentials are stored
in Jenkins itself.

Making changes to internal DNS (govuk.digital and govuk-internal.digital)

Currently these zones are only used in environments running on AWS.

These DNS zones are hosted in Route 53 and managed by Terraform. Changes can be
made in the govuk-aws and govuk-aws-data repositories.
While GOV.UK migrates to AWS, speak with Reliability Engineering for support
making your changes.

DNS for the gov.uk top level domain

Jisc is a non-profit which provides networking to
UK education and government. They control the gov.uk. top-level domain.

Requests to modify the DNS records for gov.uk. should be sent by email to
naming@ja.net from someone on Jisc’s approved contacts list. Speak to a
senior technologist member of GOV.UK or Reliability Engineering if you need to
make a change and don’t have access.

2nd line should be notified of any planned changes via email.

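gov.uk. is a top-level domain so it cannot contain a CNAME record: a CNAME cannot
coexist with any other data at the same name (see RFC 1912 section 2.4), and the
top of a zone must hold SOA and NS records.
Instead, it contains A records that point to anycast IP addresses for our CDN provider.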

www.gov.uk. is a CNAME to www-cdn.production.govuk.service.gov.uk., which means that we
do not need to make a request to Jisc if we want to change CDN providers. We only need to
change where the CNAME points.

Delegating service.gov.uk domains

At the moment Reliability Engineering are also responsible for delegating DNS
to other government services.

The request will arrive by email or Zendesk from a member of the GOV.UK Proposition
team. The request will contain the service domain name that needs to be delegated and
more than one nameserver hostname (usually ns0.example.com, ns1.example.com).

In Route 53, create a new node for the service domain underneath service.gov.uk
and add NS records for that node.

We do not manage DNS for service domains. If you get a request asking you to add
anything other than NS records, it should be rejected. This is so that we’re not
the single point of DNS for government.
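
One way to check an incoming delegation request against the rules above before touching Route 53. This is an added example, not GOV.UK's own tooling: the function name, the `(record_type, value)` request shape and the sample requests are assumptions, and the glue check is an inference from the NS-only rule rather than something stated here.

```python
import re

PARENT_ZONE = "service.gov.uk"  # parent zone named on this page
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalise(name):
    """Lower-case a hostname and drop surrounding space and the trailing root dot."""
    return name.strip().lower().rstrip(".")

def is_hostname(name):
    """True if every dot-separated label is a syntactically valid hostname label."""
    return 0 < len(name) <= 253 and all(LABEL.match(l) for l in name.split("."))

def check_delegation(domain, records):
    """Return reasons to reject the request; an empty list means it is acceptable.

    `records` is a list of (record_type, value) tuples (hypothetical request shape).
    """
    problems = []
    domain = normalise(domain)
    # Compare whole labels so "evilservice.gov.uk" is not mistaken for a child zone.
    if not is_hostname(domain) or not domain.endswith("." + PARENT_ZONE):
        problems.append(f"{domain} is not underneath {PARENT_ZONE}")
    other = sorted({t.upper() for t, _ in records if t.upper() != "NS"})
    if other:
        problems.append("non-NS records requested: " + ", ".join(other))
    # Normalise before de-duplicating so "NS0.example.com." and "ns0.example.com" count once.
    nameservers = {normalise(v) for t, v in records if t.upper() == "NS"}
    if len(nameservers) < 2:
        problems.append("more than one distinct nameserver is required")
    for ns in sorted(nameservers):
        if not is_hostname(ns):
            problems.append(f"{ns!r} is not a valid hostname")
        elif ns == domain or ns.endswith("." + domain):
            # Inference: a nameserver inside the delegated zone needs glue A/AAAA
            # records in the parent, which an NS-only policy rules out.
            problems.append(f"{ns} is inside the delegated zone and would need glue")
    return problems

# Constructed sample requests (not real services).
GOOD = ("example.service.gov.uk", [("NS", "ns0.example.com."), ("NS", "ns1.example.com")])
BAD = ("example.service.gov.uk",
       [("NS", "ns0.example.com"), ("A", "192.0.2.10"), ("TXT", "v=spf1 -all")])

if __name__ == "__main__":
    for domain, records in (GOOD, BAD):
        print(domain, check_delegation(domain, records) or "OK")
```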

There are ongoing plans to move this responsibility to a different part of GDS.

Other weird bits of DNS

If you receive a request to change any other DNS that hasn’t come from the GOV.UK
Proposition team, send it to them using the Zendesk group “3rd Line–GOV.UK Proposition”.